The daily volume of cyberattacks that target applications and the frequency of associated breaches is overwhelming to even the most experienced security professionals. We cover important lessons learned from F5 Labs’ analysis of global attack data and breach root causes that are attributed to application threats. This helps you understand attackers’ top targets and motives and the changing application security landscape of systems used to launch application attacks. Addressing these threats requires practical controls that organizations can be successful with. We offer tips and tricks that you can work on immediately to address common application threats and appropriately prioritize your application security controls.

2. Why Threat Intelligence?
Spying on attackers helps you get prepared for an attack.

3. Cyber
Security
IoT
Threat
Actors
Source
Trends
Target
Trends
F5-Sourced Global Threat Intelligence
Trends
Application
Targets
Identity
Targets
Zero-day
Exploits
Incident
Response
Learnings
Malware
DDoS
Attacks
Encryption
Identity
Exploits
Application
Attacks
Threats Vulnerabilities

4. External Partners
Security professionals researching threats and
publishing intelligence.
F5
Teams
Sales
Engineering
IT Security
Product
Development
Office of
CTO
Whatcom
Cyber
School
UW
Cyber
School
F5 Security
Marketing
PD Threat
Research
Security
Operations
Center
Product
Management
Guest
CISOs
WhiteHat
Security
Silverline
F5 Security
Incident
Response
Team
Loryka InfraGard Webroot
Randori
ASU
Cyber
School

5. The business
The reason people
use the Internet
The gateway
to DATA
the target
APPLICATIONS ARE

6. 765Average # of
Apps in use per
enterprise
6 min
before its scanned
If vulnerable, you
could be PWND in
<2 hrs
1/3Mission critical

7. 1,106Average # of Apps in
use per Financial
enterprise

8. 771Average # of
Apps in use per
HEALTHCARE
enterprise

9. 680Average # of
Apps in use per
Public Sector

10. TLS
Access
Man-in-the-browser
Client
Session hijacking
Malware
Cross-site request forgery
Abuse of functionality
Man-in-the-middle
DDoS
Malware
API attacks
Injection
Cross-site scripting
Cross-site request forgery
Certificate spoofing
Protocol abuse
Session hijacking
Key disclosure
DNS hijacking
DDoS
DNS spoofing
DNS cache poisoning
Man-in-the-middle
App services
DNS
DDoS
Eavesdropping
Protocol abuse
Man-in-the-middle
Credential theft
Credential stuffing
Session hijacking
Brute force
Phishing
Network
DDoS
Cross-site scripting
Dictionary attacks

11. TLSCertificate spoofing
Protocol abuse
Session hijacking
Key disclosure
DDoS
Man-in-the-browser
Client
Session hijacking
Malware
Cross-site request forgery
Cross-site scripting
DNS
DNS hijacking
DDoS
DNS spoofing
DNS cache poisoning
Man-in-the-middle
DDoS
Eavesdropping
Protocol abuse
Man-in-the-middle
Network
Dictionary attacks
Abuse of functionality
Man-in-the-middle
DDoS
Malware
API attacks
Injection
Cross-site scripting
Cross-site request forgery
App services
Access
Credential theft
Credential stuffing
Session hijacking
Brute force
Phishing

12. Top 20 targeted ports:
Country
Vietnam
China
Russia
India
Indonesia
Brazil
United States
Thailand
Turkey
Taiwan
Port Service
445 SMB
22 SSH
80 HTTP
23 Telnet
3389 MS RDP
1433 MS SQL
8445 JSON RCP
81 HTTP
8080 HTTP
139 Netbios
5555 MS CRM
2323 Telnet
8291 Mikrotik
443 HTTPS
25 SMTP
3306 MySQL
8888 NewsEDGE
5900
Remote
Framebuffer
21 FTP
8088 Radan HTTP

13. Pos Country
1 Vietnam
2 China
3 Russia
4 India
5 Indonesia
6 Brazil
7 United States
8 Thailand
9 Turkey
10 Taiwan
11 Venezuela
12 Ukraine
13 Mexico
14 Philippines
15 Iran
16 Egypt
17 Chile
18 Pakistan
19 Italy
20 Colombia
1
2
3
4
5
6
7
8
9
10
11
14
13
12
15
19
16
20
17
18
Top 20 Source Countries:

14. Top Countries Targeting US
(by IP location, 12/1/2018 - 3/1/2019)

15. Username Password Username Password Username Password Username Password
root root ts ts manager manager123 plcmspip plcmspip
admin admin bot bot teamspeak3 teamspeak3 weblogic weblogic
user user deploy deploy nobody nobody redhat redhat123456
test test monitor monitor csgoserver csgoserver developer developer
ubuntu ubuntu administrator administrator test2 test2 public public
ubnt ubnt bin bin demo demo student student
support support default nopass 0 webmaster webmaster
oracle oracle adm adm a a osmc osmc
pi raspberry vagrant vagrant minecraft minecraft c c
guest guest anonymous any@ alex q1w2e3r4t5 server server
postgres postgres uucp uucp postfix postfix supervisor supervisor
ftpuser asteriskftp www www glassfish glassfish 22 backup
usuario usuario jenkins jenkins jboss jboss hdfs hdfs
nagios nagios apache apache master master linux linux
1234 1234 sshd sshd ghost ghost postmaster postmaster
ftp ftp PlcmSpIp PlcmSpIp vnc vnc csserver csserver
operator operator cisco cisco info info prueba prueba
git git sinusbot sinusbot 111111 856149100 matt matt
hadoop hadoop user1 user1 debian debian vyatta vyatta
ts3 ts3 backup backup centos centos hduser hduser
teamspeak teamspeak Management TestingR2 testuser testuser nexus nexus
mysql mysql steam steam system sytem ethos live
tomcat tomcat mother fucker www-data www-data Admin Admin
service service dev dev test1 test1 mc mc
butter xuelp123 zabbix zabbix upload upload telnet telnet
Top 100
Admin
Creds
Used in
SSH Brute
Force
Attacks

16. 58%
56%
6%
4%
3%
2%
2%
1%
1%
PHP
SQL
Exchweb
Comments
Cart
Betablock
Admin
Affiliates
Login
Injection → PHP & SQL

17. 81%
8%
3%
2%
1%
0%
0%
0%
0%
PHP
SQL
Admin
Comments
ASP
Exchweb
Cart
Betablock
Affiliates
2018 Application
Attacks
Injection → PHP

18. 2013 OWASP Top 10
1. Injection
2. Broken authentication and session
management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known
vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known
vulnerabilities
10. Insufficient logging
and monitoring
2013 OWASP Top 10
1. Injection
2. Broken authentication and session
management
3. Cross-site scripting (XSS)
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross-site request forgery (CSRF)
9. Using components with known
vulnerabilities
10. Unvalidated redirects and forwards
2017 OWASP Top 10
1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML external entities (XXE)
5. Broken access control
6. Security misconfiguration
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known
vulnerabilities
10. Insufficient logging
and monitoring

19. Vuln released
Continuous
improvement
Firewall what
you can’t fix
Applicable?
Test
Apply & Retest
1.7
0.8
0.5
0.4
0.5
1.4
0.9
0.6
0.2
0.3
2014 2015 2016 2017 2018
Average Days Between
Vulnerability Releases
Critical High
9-12
hours

20. Access
(mostly
phishing and
email)
Web
(mostly
injection)
Industry

21. Attack
1. Mobile Apps
2. Direct APIs
Basic Security Fails
1. Authentication
2. Injection
3. Permissions
2011
2018
2019
Aug 2018 – SalesForce
Mar 2018 – Google
Mar 2018 – Binance
Apr 2018 – RSA Conference App
Aug 2018 – T-Mobile
Sep 2018 – Apple MDM
Sep 2018 – British Airways
Oct 2018 – Girl Scouts
Oct 2018 – Quoine
Nov 2017 – Nov 2018: US Postal Service
Oct 2018 – Github
Jan 2018 – Tinder
Sep 2018 – Facebook
Aug 2017 – Instagram
Mar 2015 – Tinder
July 2018 – Venmo
Feb 2017 – WordPress
Feb 2019 - RequestBin
2017
2016
2015
Sep 2011 – Westfield
2012
2013
2014

22. Basic Security Control Failures
1. Exposed DB with weak/no auth
2. Weak Access Control
3. Configuration Error
2011
2018
2019
Dow Jones High Risk watchlist DB
China surveillance program DB
Kremlin DBs
Ascension DB
Oklahoma FBI files DB
2017
2016
2015
2012
2013
2014
Hadoop
Guardzilla records DB
Telsa AWS acct
Alteryx DB
Aggregate IQ DB
Verizon customer DB
Robotics manufacture for cars DB
GoDaddy architecture
IPv6 ISP DB
Tea Party DB
Booze Allen and Pentagon DB
JC Penny
Stein Mart DB
Title Nine Sports DB
North American Power and Gas DB
Integrated Practice Solutions DB
Capital Digestive Care DB
RNC voter DB
Accenture’s Cloud Platform
Army Intelligence and Security Command DB
DOD Surveillance DB
Credit Repair Service DB
Viacom’s master controls
Dow Jones/WSJ/Barrons customer DB
WWE Fan DB
Uber Github account
Mexican voter DB
Microsoft Business Productivity Online Suite

23. Email sent from North Korean APT
related to Bangladesh Bank heist.
Email sent from North Korean ATP
in Sony compromise.
Phishing emails are
3 times more likely
to have a malicious
link than a malicious
attachment.
3X
MALICIOUS
LINK
MALICIOUS
FILE

24. Encryption is an Attacker Disguise
of phishing domains
use HTTPS to appear
more legitimate
93%

25. Attackers Hide
Malware in Encryption
of all Internet
traffic is encrypted70%
of malware phones
home over port 44368%

26. Identity Crisis
20%
of employees would sell
their work password
10%
for less than $1,000

28. Twitter LinkedIn Email
Updates
(1 / week)
RSS
Tell us what you want to read about – or write for us!
Stay Up to Date by Following Us!